middleware.py
5.93 KB
Expire sessions after a password change. · 524e2292
This is slightly more complicated than it should be since we're using custom authentication middleware (i.e., not Django's standard middleware class). We have to check that the session auth hash we have stored is equal to the request's session auth hash (since the stored hash is a function of the password). Normally this gets handled in `django.contrib.auth.get_user`, but due to our caching we don't go through that function, even in the cache miss case. ECOM-4288
Peter Fogg committed
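The check the commit message describes, as an added example that models it with the Python standard library only; it is not the project's middleware or Django's own code. `User`, `login`, `change_password`, `get_cached_user`, the dict stores and the secret are constructed for illustration; only the session key names and the `get_session_auth_hash` method name mirror Django.

```python
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-secret"   # constructed value, stands in for settings.SECRET_KEY
SESSION_KEY = "_auth_user_id"             # Django's session key for the user id
HASH_SESSION_KEY = "_auth_user_hash"      # Django's session key for the auth hash

USER_DB = {}     # hypothetical stand-in for the user table
USER_CACHE = {}  # hypothetical stand-in for the middleware's user cache


class User:
    def __init__(self, pk, password_hash):
        self.pk = pk
        self.password = password_hash

    def get_session_auth_hash(self):
        # Keyed hash over the stored password hash: it changes when the password does.
        return hmac.new(SECRET_KEY, self.password.encode(), hashlib.sha256).hexdigest()


def login(user):
    """Create a session (a plain dict here) bound to the user's current password."""
    USER_DB[user.pk] = user
    return {SESSION_KEY: user.pk, HASH_SESSION_KEY: user.get_session_auth_hash()}


def change_password(pk, new_password_hash):
    USER_DB[pk].password = new_password_hash
    USER_CACHE.pop(pk, None)  # assumption: the cache entry is dropped when the user is saved


def get_cached_user(session):
    """Resolve the session's user via the cache, then verify the session auth hash."""
    pk = session.get(SESSION_KEY)
    user = USER_CACHE.get(pk) or USER_DB.get(pk)
    if user is None:
        return None
    USER_CACHE[pk] = user
    # Runs on both cache hit and cache miss, since neither path performs
    # this comparison on its own in this model.
    stored = session.get(HASH_SESSION_KEY, "")
    if not hmac.compare_digest(stored, user.get_session_auth_hash()):
        session.clear()  # flush the stale session
        return None
    return user
```

Without the comparison in `get_cached_user`, a session created before `change_password` would keep resolving to the user from either the cache or the store.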